Security mediation for dynamically programmable network

ABSTRACT

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 15/621,774, filed Jun. 13, 2017; which is a continuation of U.S. application Ser. No. 13/801,871, filed on Mar. 13, 2013, now U.S. Pat. No. 9,705,918 issued Jul. 11, 2017 and also claims the benefit of and priority to U.S. Provisional Application No. 61/650,287, filed May 22, 2012. Each of the preceding applications is incorporated herein by reference in its entirety.

STATEMENT AS TO RIGHTS TO INVENTIONS MADE UNDER FEDERALLY SPONSORED RESEARCH AND DEVELOPMENT

This invention was made in part with government support under contract number W911NF-06-1-0316 awarded by the Army Research Office. The Government has certain rights in this invention.

BACKGROUND

Software-defined networking refers to an approach to building a computer network that allows for programmable network switch infrastructures, in which the rules that determine how the network switches are to process network flows can be dynamically specified and changed. Such programmability is useful, for instance, in the management of virtual computing resources that may be spawned or terminated on demand. The OPENFLOW network model is one example of a protocol that may be used to implement software-defined networking.

According to traditional notions of network perimeter defense, network security may be provided by a well-defined (e.g., static) security policy that can be instantiated for a particular network topology. In traditional network environments, the security policy often can be deployed and enforced consistently across the network infrastructure.

BRIEF SUMMARY

According to at least one embodiment of this disclosure, a security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, embodied in a computing system coupled to the network, includes a source authenticator to authenticate a source of a packet disposition directive that may be implemented by the network switch to control the flow of communications across the network, where the source includes one of a network administrator and a software application; and a conflict analyzer to determine whether to implement the packet disposition directive at the network switch based on one or more of a role associated with the source of the packet disposition directive and a capability associated with the source of the packet disposition directive.

The conflict analyzer may compare the role of the source of the packet disposition directive to roles that are associated with the sources of currently active packet disposition directives that currently control the flow of communications across the network, and may determine whether the packet disposition directive should be implemented at the network switch based on whether the role of the source of the packet disposition directive has a higher priority than the roles of the sources of the currently active packet disposition directives. The role may be determined based at least in part on whether the source is a network administrator, a network security application, or another type of software application. The capability may be based at least in part on whether the packet disposition directive is signed with a digital signature.

The source authenticator may use a public key to authenticate the source of the packet disposition directive and the capability may be based at least in part on whether the source of the packet disposition directive is authenticated. The role may be based at least in part on a communication channel used to communicate the packet disposition directive to the security mediation service. The role may be based at least in part on a process from which the packet disposition directive originated. The security mediation service may communicate the packet disposition directive to the network switch if the security mediation service determines that the packet disposition directive should be implemented at the network switch.

The network may include a plurality of network switches and the security mediation service may coordinate the communication of the packet disposition directive to the plurality of network switches. The security mediation service may communicate the packet disposition directive to all of the network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive. The network switches may each have a local flow table and the security mediation service may insert the packet disposition directive in each of the local flow tables if the security mediation service determines that the packet disposition directive should be implemented at the network switches. The security mediation service may include a security directive translator to prepare the packet disposition directive based on a network security policy associated with the source. The security mediation service may include a state table manager to maintain consistency between an aggregate table of currently active packet disposition directives across a plurality of network switches including the network switch and a local table of flow rules resident at the network switch. The security mediation service may include a switch manager to communicate messages relating to the status of the local table of flow rules to the security mediation service.

The conflict analyzer may determine whether the packet disposition directive conflicts with one or more currently active packet disposition directives that currently control the flow of communications across the network. The packet disposition directive may include one or more of: a directive to enable or disable one or more ports of the network switch, a directive to request the network switch to generate network traffic in response to a specified network condition, a flow rule to control network flows at the network switch, and another type of directive that may change the behavior or configuration of the network switch. One or more embodiments of the security mediation service may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a network controller may be embodied in one or more machine accessible storage media and may be configured to interface with software applications and with the network switch, and the network controller may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a network virtualization layer may be embodied in one or more machine accessible storage media and may be configured to interface with software applications and with the network switch, and the network virtualization layer may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, includes, with a computing system coupled to the network: receiving a packet disposition directive from the network, where the packet disposition directive may be implemented by the network switch to effect a change in the behavior or configuration of the network switch; determining a role associated with the packet disposition directive; determining whether the packet disposition directive conflicts with a currently active network security policy, where the currently active security policy currently controls the behavior and configuration of the network switch; and in response to determining that the packet disposition directive conflicts with the currently active network security policy, determining whether to implement the packet disposition directive at the network switch based on the role associated with the packet disposition directive.

The method may include determining whether a digital signature is associated with the packet disposition directive. The method may include, in response to determining that a digital signature is associated with the packet disposition directive, analyzing the digital signature associated with the packet disposition directive and determining a capability associated with the packet disposition directive based on the analysis of the digital signature, where the capability determines whether the packet disposition directive may effect a change in the behavior or configuration of the network switch. The method may include determining a communication channel associated with the packet disposition directive and determining the role based on the communication channel. The method may include identifying a source of the packet disposition directive and determining the role based on the identity of the source. Embodiments of the method may include any combination of any of the foregoing aspects of the method.

According to at least one embodiment of this disclosure, a method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network includes, with a computing system coupled to the network: identifying a source of one or more packet disposition directives, where the packet disposition directives may be implemented by the network switch to effect changes in the behavior or configuration of the network switch; verifying the identity of the source using an authentication technique; assigning a role to the source based at least in part on whether the source is a network administrator or a software application, where the role includes information that may be used to determine whether packet disposition directives produced by the source may be implemented by the network switch; and storing the role for use in evaluating packet disposition directives for implementation by the network switch.

The method may include determining the role based on whether the source is a network administrator, a network security application, or another type of software application. The role may have a lower priority if the source is a network security software application than if the source is a network administrator. The role may have a higher priority if the source is a network security software application than if the source is another type of software application. The role may have a higher priority if the source has a digital signature. The method may include determining a communication channel associated with the source and assigning the role based on the communication channel. The method may include determining a process associated with the source and assigning the role based on the process. The method may include assigning a capability to the source that allows the source to issue packet disposition directives to modify the configuration or behavior of the network switch, in response to authenticating the identity of the source. Embodiments of the method may include any combination of any of the foregoing aspects of the method.
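The role and capability model described in the two preceding paragraphs can be made concrete in a few dozen lines. The following is an added example, not code from the patent or from any controller it mentions: it assigns a role from the source's identity and communication channel, treats authentication as the capability to issue directives at all, ranks a signed directive above an unsigned one of the same role, and resolves a conflict in favour of the candidate only when its priority exceeds that of every conflicting active directive. The `Source`, `Directive`, `Role` names, the `kind`/`channel` string values, and the `authenticated` flag (standing in for the outcome of the public-key check) are constructed for this example.

```python
"""Role-based mediation of a packet disposition directive.

Added example, not the patent's code. Priority ordering modelled here:
network administrator > network security application > other software
application; a digital signature lifts a directive above an unsigned one
of the same role; only an authenticated source has the capability to
change switch behaviour. Sources and directives are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Priority of a directive source; a higher value wins a conflict."""
    APPLICATION = 1
    SECURITY_APP = 2
    ADMINISTRATOR = 3


@dataclass(frozen=True)
class Source:
    name: str
    kind: str            # constructed: "admin", "security_app" or "app"
    channel: str         # constructed: channel the directive arrived on
    authenticated: bool  # outcome of the (assumed) public-key check


@dataclass(frozen=True)
class Directive:
    source: Source
    text: str            # free-form description of the flow rule or port mod
    signed: bool


def assign_role(src: Source) -> Role:
    """Derive the role from the source's identity and its channel."""
    if src.kind == "admin" or src.channel == "admin_console":
        return Role.ADMINISTRATOR
    if src.kind == "security_app":
        return Role.SECURITY_APP
    return Role.APPLICATION


def priority(d: Directive) -> tuple:
    """Role first, then signature: a signed directive outranks an
    unsigned one from the same role class."""
    return (int(assign_role(d.source)), 1 if d.signed else 0)


def has_capability(d: Directive) -> bool:
    """Only an authenticated source may change switch behaviour."""
    return d.source.authenticated


def mediate(candidate: Directive, conflicting: list) -> str:
    """Decide whether a candidate that conflicts with the given active
    directives is implemented. Returns "implement" or "reject"."""
    if not has_capability(candidate):
        return "reject"
    if not conflicting:
        return "implement"
    # Active directives are examined in decreasing priority order; the
    # candidate must outrank the strongest one it conflicts with.
    ranked = sorted(conflicting, key=priority, reverse=True)
    return "implement" if priority(candidate) > priority(ranked[0]) else "reject"


if __name__ == "__main__":
    # Constructed sources: an administrator, a firewall app, a load balancer.
    admin = Source("ops", "admin", "admin_console", True)
    firewall = Source("firewall", "security_app", "northbound_api", True)
    balancer = Source("lb", "app", "northbound_api", True)
    fw_rule = Directive(firewall, "drop 10.0.0.2 -> 10.0.0.4:80", True)
    print(mediate(Directive(balancer, "forward 10.0.0.2 -> 10.0.0.4:80", False), [fw_rule]))
    print(mediate(Directive(admin, "forward 10.0.0.2 -> 10.0.0.4:80", False), [fw_rule]))
```

Because the comparison is a tuple, an unsigned administrator directive still outranks a signed security-application directive; the signature only breaks ties within a role class, which is the ordering the summary describes.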

According to at least one embodiment of this disclosure, a method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network includes, with a computing system coupled to the network: receiving a packet disposition directive from the network, the packet disposition directive comprising a candidate flow rule that may be implemented by the network switch to control the flow of communications across the network; determining whether the candidate flow rule conflicts with one or more flow rules in a set of currently active flow rules, where the currently active flow rules currently control the flow of communications across the network; and in response to determining that the candidate flow rule does not conflict with any of the currently active flow rules, adding the candidate flow rule to the set of currently active flow rules.

The method may include comparing the candidate flow rule to each of the flow rules in the set of currently active flow rules before the candidate flow rule is communicated to the network switch. The candidate flow rule and each of the currently active flow rules may include an action that determines how communications to which the rule applies are disposed of by the network switch, and the method may include, for each of the currently active flow rules: comparing the action specified by the candidate flow rule to the action specified by the currently active flow rule, and if the action specified by the candidate flow rule is the same as the action specified by the currently active flow rule, determining that the candidate flow rule does not conflict with the currently active flow rule. The method may include determining whether the candidate flow rule includes a set action, where the set action modifies communications to which it applies. The method may include, in response to determining that the candidate flow rule includes a set action, expanding the candidate flow rule to include the modifications permitted by the set action. The currently active flow rules may each have a priority, and the method may include comparing the expanded candidate flow rule to the currently active flow rules in order of decreasing priority. The method may include determining that the candidate flow rule conflicts with the set of currently active flow rules if the expanded candidate flow rule conflicts with any of the currently active flow rules. Embodiments of the method may include any combination of any of the foregoing aspects of the method.

According to at least one embodiment of this disclosure, a security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, where the security mediation service is embodied in a computing system coupled to the network, includes a flow rule state manager to manage data relating to a set of currently active flow rules, where the currently active flow rules currently control the flow of communications across the network; and a conflict analyzer to determine whether a candidate flow rule conflicts with any of the currently active flow rules, and add the candidate flow rule to the set of currently active flow rules if the candidate flow rule does not conflict with any of the currently active flow rules.

The candidate flow rule and each of the currently active flow rules may include an action that determines how a communication is to be disposed of by the network switch if the rule applies to the communication, and the conflict analyzer may compare the action specified by the candidate flow rule to the action specified by each of the currently active flow rules. The candidate flow rule and each of the currently active flow rules may include a plurality of match fields each including a value that determines whether the candidate flow rule applies to a communication, and the conflict analyzer may compare the match fields of the candidate flow rule to the corresponding match fields of each of the currently active flow rules. In some embodiments, if the candidate flow rule permits another value to be substituted for the value of a match field of the candidate flow rule, the conflict analyzer may expand the candidate flow rule to include the value and the other value that may be substituted for the value of the match field, and may compare the expanded candidate flow rule to each of the currently active flow rules. In some embodiments, for each of the currently active flow rules, the conflict analyzer may expand the currently active flow rule to include any values that may be substituted for the values of the match fields of the currently active flow rule, and may compare the expanded candidate flow rule to each of the expanded currently active flow rules. The security mediation service may update the set of currently active flow rules to include the expanded candidate flow rule if the expanded candidate flow rule does not conflict with any of the expanded currently active flow rules. The security mediation service may communicate the candidate flow rule to the network switch if the candidate flow rule does not conflict with any of the currently active flow rules.

The security mediation service may include a source authenticator to authenticate a source of the candidate flow rule, where the source includes one of a network administrator and a software application; and a conflict analyzer to determine whether to implement the candidate flow rule at the network switch based on a role associated with the source of the candidate flow rule. Embodiments of the security mediation service may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a network controller may be embodied in one or more machine accessible storage media and may be configured to interface with software applications and with the network switch, and the network controller may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a network virtualization layer may be embodied in one or more machine accessible storage media and may be configured to interface with software applications and with the network switch, and the network virtualization layer may include any combination of any of the foregoing aspects of the security mediation service.

According to at least one embodiment of this disclosure, a method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network includes, with a computing system coupled to the network: receiving a candidate flow rule from the network, where the candidate flow rule may be implemented by the network switch to control the flow of communications across the network, and the candidate flow rule includes match criteria having values that determine whether the candidate flow rule applies to a communication; determining whether the candidate flow rule permits other values to be substituted for any of the values of the match criteria; and deriving an expanded candidate flow rule from the candidate flow rule, where the expanded candidate flow rule includes the values of the match criteria and the other values.

The match criteria may include a plurality of match fields, and the expanding may include, for each of the match fields, deriving an alias set comprising the value of the match field and the other values that may be substituted for the value of the match field. The method may include determining whether the expanded candidate flow rule conflicts with a set of currently active flow rules, where the set of currently active flow rules currently controls the flow of communications across the network; and in response to determining that the expanded candidate flow rule does not conflict with any of the currently active flow rules, adding the expanded candidate flow rule to the set of currently active flow rules. The currently active flow rules may each be associated with a role, and the method may include comparing the candidate flow rule to the set of currently active flow rules in a priority order based on the roles assigned to the currently active flow rules. The method may include, for each of the match fields, determining whether the alias set intersects with a corresponding match field of each of the currently active flow rules. In the method, where each of the currently active flow rules includes match criteria having values that determine whether the currently active flow rule applies to a communication, the method may include expanding each of the currently active flow rules to include the values of the match criteria and any values that may be substituted for the values of the match criteria. The method may include comparing the expanded candidate flow rule to each of the expanded currently active flow rules.

The match criteria of each of the currently active flow rules may include a plurality of match fields, and the expanding may include, for each of the match fields of each of the currently active flow rules, deriving an alias set comprising the value of the match field of the currently active flow rule and the other values that may be substituted for the value of the match field of the currently active flow rule. The match fields of the candidate flow rules and the match fields of each of the currently active flow rules may include a source field and a destination field, and the method may include determining whether the alias set of the source field of the candidate flow rule intersects with the alias set of the source field of any of the currently active flow rules and determining whether the alias set of the destination field of the candidate flow rule intersects with the alias set of the destination field of any of the currently active flow rules. The method may include updating the alias sets of each of the currently active flow rules if the expanded candidate flow rule is added to the set of currently active flow rules. Embodiments of the method may include any combination of any of the foregoing aspects of the method.

According to at least one embodiment of this disclosure, a method for enforcing a security policy for a dynamically programmable network includes, on the network: maintaining a set of currently active packet disposition directives, where the set of currently active packet disposition directives changes over time, and the currently active packet disposition directives are implemented at network switches to control one or more of the behavior and the configuration of the network switches at a current point in time; receiving, from a source of packet disposition directives, a candidate packet disposition directive that is not part of the set of currently active packet disposition directives; determining whether the candidate packet disposition directive violates the security policy; and in response to determining that the candidate packet disposition directive does not violate the current security policy, implementing the packet disposition directive at the network switches.

The method may include determining a role associated with the source of the candidate packet disposition directive to determine whether the candidate packet disposition directive violates the security policy, where the role may include one of a network administrator and a software application. The method may include determining a capability associated with the source of the candidate packet disposition directive to determine whether the candidate packet disposition directive violates the security policy, where the capability may indicate whether the source can change the behavior and/or configuration of the network switches. The method may include determining whether the candidate packet disposition directive conflicts with any of the currently active packet disposition directives to determine whether the candidate disposition directive violates the security policy. Embodiments of the method may include any combination of any of the foregoing aspects of the method.

BRIEF DESCRIPTION OF THE DRAWINGS

This disclosure is illustrated by way of example and not by way of limitation in the accompanying figures. The figures may, alone or in combination, illustrate one or more embodiments of the disclosure. Elements illustrated in the figures are not necessarily drawn to scale. Reference labels may be repeated among the figures to indicate corresponding or analogous elements.

FIG. 1 is a simplified block diagram of at least one embodiment of a dynamically programmable network including a security mediation service;

FIG. 2 is a simplified flow diagram of at least one embodiment of a method by which the security mediation service of FIG. 1 may dynamically monitor packet disposition directives for compliance with a security policy;

FIG. 3 is a simplified flow diagram of at least one embodiment of a method by which the security mediation service of FIG. 1 may detect flow rule conflicts;

FIG. 4 is a simplified flow diagram of at least one embodiment of a method by which the security mediation service of FIG. 1 may resolve flow rule conflicts in accordance with a security policy;

FIG. 5 is a simplified flow diagram of at least one embodiment of a method by which the security mediation service of FIG. 1 may manage data relating to currently active packet disposition directives;

FIG. 6 is a simplified flow diagram of at least one embodiment of a method by which the security mediation service of FIG. 1 may register sources of packet disposition directives; and

FIG. 7 is a simplified block diagram of an exemplary computing environment in connection with which at least one embodiment of the security mediation service of FIG. 1 may be implemented.

DETAILED DESCRIPTION

While the concepts of the present disclosure are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and are described in detail below. It should be understood that there is no intent to limit the concepts of the present disclosure to the particular forms disclosed. On the contrary, the intent is to cover all modifications, equivalents, and alternatives consistent with the present disclosure and the appended claims.

Dynamically programmable networks, some embodiments of which may be referred to as software-defined networks or SDNs, present several new and unique challenges to the effective enforcement of traditional security policies. For instance, many different network flow control applications may be active on a particular SDN. These network applications may attempt to change the network flow control policies dynamically. Further, some network applications may incorporate security vulnerabilities, or may possibly be written by adversaries who wish to use the network application to take control of the network. In some cases, the flow control policies of the various active network applications may potentially conflict, in that some of the flow policies may be contradictory or may attempt to evade or override other flow policies.

For instance, in an evasion scenario referred to herein as dynamic flow tunneling, a network application may seek to evade an existing flow rule by adding a series of flow rules that redirect packets “around” the existing flow rule by modifying the packet header information (using, e.g., a “goto table” directive or “set” action). As an example, in a hypothetical SDN, suppose there are three host computers, one network switch, and one network controller (where a “network controller” in SDN terminology refers to software that acts as an interface between other running software applications, which produce network flows, and the switches or other packet-forwarding devices on the network). Suppose further that a firewall implemented as a network application on the hypothetical SDN has implemented a flow rule that requires the blocking of network packets that specify a particular source Internet Protocol (IP) address and a particular destination IP address. For instance, the firewall's flow rule may require packets from an outside host identified by an address, 10.0.0.2, that are directed to a web service identified as port 80, running on a host identified by an address, 10.0.0.4, to be blocked. Another network application may then attempt to add three new flow rules to be implemented by the network controller as follows. The first proposed rule modifies the source IP address of a packet to 10.0.0.1 if a packet is delivered from 10.0.0.2 to 10.0.0.3 (port 80). The second proposed rule changes the destination IP address of a packet to 10.0.0.4 if a packet is delivered from 10.0.0.1 to 10.0.0.3 (port 80). The third proposed rule simply allows the forwarding of a packet from 10.0.0.1 to 10.0.0.4 at port 80. None of these flow rules, taken individually, conflicts with the firewall's flow rule and thus would be implemented by the network controller, in the absence of security features such as those described herein.

If these proposed flow rules were to be implemented, the firewall's flow rule that blocks packets from 10.0.0.2 to 10.0.0.4 could be evaded. To illustrate this, suppose the host 10.0.0.2 sends a data packet to port 80 of the host 10.0.0.3. This packet can bypass the firewall because it does not directly go to the host 10.0.0.4, but to 10.0.0.3. However, this packet will eventually be delivered to the host 10.0.0.4 by the network controller even if there is a firewall forbidding such traffic, as a result of the second and third proposed flow rules above. In this way, an inadvertently erroneous or malicious network application can evade an existing firewall by simply adding a few flow rules.
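The alias-set expansion that the Brief Summary describes for candidate flow rules is what catches this tunneling sequence, so it is worth running the scenario above through it. The following is an added example, not code from the patent or from any SDN controller it names. It builds each rule's source and destination alias sets from its match fields plus any value a "set" action may substitute, widens the candidate's alias sets transitively through active rules whose alias sets they intersect, compares the expanded candidate against the active rules in decreasing priority order, treats rules with the same action as non-conflicting, and, on installation, propagates the candidate's aliases back to the rules it merged with. The addresses, port and rule semantics are the ones from the scenario; the `FlowRule` data model, the rule names, the priority values and the `FORWARD`/`DROP` action strings are constructed for the example.

```python
"""Flow rule conflict detection with alias-set expansion.

Added example, not the patent's code. Implements the candidate-rule
expansion from the summary: alias sets per match field, transitive
widening through intersecting active rules, comparison in decreasing
priority order, same action never conflicts. Data model is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FlowRule:
    name: str
    src: str                        # source IP match field
    dst: str                        # destination IP match field
    dport: int                      # destination port match field
    action: str                     # "FORWARD" or "DROP" (constructed labels)
    set_src: Optional[str] = None   # set action rewriting the source IP
    set_dst: Optional[str] = None   # set action rewriting the destination IP
    priority: int = 0
    src_alias: set = field(default_factory=set)
    dst_alias: set = field(default_factory=set)

    def __post_init__(self):
        # Alias set: the matched value plus whatever a set action may
        # substitute for it once the rule has been applied.
        self.src_alias = {self.src} | ({self.set_src} if self.set_src else set())
        self.dst_alias = {self.dst} | ({self.set_dst} if self.set_dst else set())


def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True when the two rules' alias sets can describe the same traffic."""
    return (a.dport == b.dport
            and bool(a.src_alias & b.src_alias)
            and bool(a.dst_alias & b.dst_alias))


def expand(cand: FlowRule, active: list) -> list:
    """Widen the candidate's alias sets through every active rule whose
    alias sets it touches, repeating until nothing changes. Returns the
    rules that were merged in, so they can be updated on installation."""
    merged = []
    changed = True
    while changed:
        changed = False
        for rule in active:
            if rule in merged or not overlaps(cand, rule):
                continue
            cand.src_alias |= rule.src_alias
            cand.dst_alias |= rule.dst_alias
            merged.append(rule)
            changed = True
    return merged


def mediate(cand: FlowRule, active: list) -> Optional[FlowRule]:
    """Evaluate one candidate against the active set. Returns the
    highest-priority active rule it conflicts with, or None after
    installing it. Rules with the same action never conflict."""
    merged = expand(cand, active)
    for rule in sorted(active, key=lambda r: r.priority, reverse=True):
        if rule.action != cand.action and overlaps(cand, rule):
            return rule
    # No conflict: install, and let the rules it merged with learn the
    # candidate's aliases so later candidates are judged against them.
    for rule in merged:
        rule.src_alias |= cand.src_alias
        rule.dst_alias |= cand.dst_alias
    active.append(cand)
    return None


def tunneling_scenario() -> dict:
    """Replay the three proposed rules against the firewall rule from the
    text; maps each rule name to the name of the rule it conflicts with."""
    active = [FlowRule("firewall", "10.0.0.2", "10.0.0.4", 80, "DROP", priority=10)]
    proposed = [
        FlowRule("rule1", "10.0.0.2", "10.0.0.3", 80, "FORWARD", set_src="10.0.0.1"),
        FlowRule("rule2", "10.0.0.1", "10.0.0.3", 80, "FORWARD", set_dst="10.0.0.4"),
        FlowRule("rule3", "10.0.0.1", "10.0.0.4", 80, "FORWARD"),
    ]
    outcome = {}
    for cand in proposed:
        hit = mediate(cand, active)
        outcome[cand.name] = hit.name if hit else None
    return outcome


if __name__ == "__main__":
    print(tunneling_scenario())
```

Run in order, the first rule installs cleanly (its expanded source set {10.0.0.2, 10.0.0.1} touches the firewall's source but its destination does not), the second rule merges with the first, inherits its source aliases, and then intersects the firewall rule on both fields with a different action, so it is rejected before reaching any switch. The third rule is harmless on its own and installs. The widening is deliberately an over-approximation: a candidate that merely shares aliases with a rewriting rule can be flagged, which is the safe direction for a mediator that sits in front of the switches.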

These and other challenges can be addressed by implementing a non-bypassable security mediation service on the dynamically programmable network. As disclosed herein, embodiments of the security mediation service can monitor and evaluate flow rule insertion requests and other packet disposition directives (e.g., “packet-outs,” “port mods,” etc.) against a dynamically-changing security policy, and can do so in “real time,” e.g., in response to the directives being produced by the network administrator and/or various software applications running on the network and before the directives are implemented by the network devices (e.g., switches). Embodiments of the security mediation service may enforce and preserve the integrity of the dynamically programmable network's security policy by providing role-based source authentication, conflict detection, conflict resolution, or any combination thereof. Some embodiments of the disclosed security mediation service are also described, for example, in Phillip A. Porras et al., A Security Enforcement Kernel for OpenFlow Networks, HotSDN'12, at 121-126 (Aug. 13, 2012); and Phillip A. Porras, Empowering Dynamic Network Defenses Across OpenFlow Networks, delivered at the SDN Security Seminars 2012 on Feb. 28, 2012, in San Francisco, Calif., both of which are incorporated herein by this reference. Other materials describing embodiments of the disclosed security mediation service, including video materials by Phillip A. Porras entitled Inside Fort Knox, Security Constraints Enforcement, Reflector Nets, and Automated Quarantine, are posted at http://www.openflowsec.org/ and incorporated herein by this reference. Additionally, Mr. Porras discussed embodiments of the disclosed security mediation service in an interview posted on Jul. 3, 2012 at http://www.sdncentral.com/sdn-blog/phil-porras-openflow-secure-controller-/2012/07/ (Interview with Phil Porras: Lack of Secure Controller Hurting OpenFlow?) and in an interview posted on Feb. 26, 2013 at http://www.sdncentral.com/sdn-blog/sdn-security-oxymoron-phil-porras-sri/-2013/02/ (SDN Security—An Oxymoron? New Interview with Phil Porras of SRI International), both of which are incorporated herein by this reference.

Referring now to FIG. 1, an embodiment of a security mediation service 150 for a dynamically programmable network 100 is embodied in a network controller/switch interface 120. The illustrative dynamically programmable network 100 is embodied as a packet-switching digital communications network that is implemented using a software-defined networking approach (such as the OpenFlow protocol). In some embodiments, the network 100 may correspond to a physical or logical (e.g., virtualized) subset of a larger network, such as a “network slice.”

The illustrative network controller/switch interface 120 controls the network communications between software applications 110, 112 and one or more network switches 132, 134, 136 on the network 100. As such, the illustrative security mediation service 150 typically executes in a separate process space from at least the external network applications 112 and is also usually separated from any processes that may be running at the switches 132, 134, 136. For example, in the illustrated embodiments, the security mediation service 150 is not implemented as part of a firewall.

The network controller/switch interface 120 may be embodied as a software abstraction of the network control layer of the network switches 132, 134, 136. For instance, the network controller/switch interface 120 may be implemented as part of or as an extension to an SDN controller, such as an OpenFlow controller. Some vendors of SDN controllers include Big Switch Networks, HP, IBM, VMWare, and Juniper. In other embodiments, the controller/interface 120 may be embodied in a shim layer between a network controller and the network applications 110, 112, or as part of another type of network virtualization layer. One example of a network virtualization layer for an SDN (and OpenFlow, specifically) is FlowVisor, developed by Stanford University, Deutsch Telecom, Inc., and Nicira Networks. In any case, the network controller/switch interface 120 may execute on one or more computing devices (e.g., servers), separately from the network switches 132, 134, 136 and/or separately from other computing devices on which the applications 110, 112 may be running.

The network controller/switch interface 120 may be connected to each of the switches 132, 134, 136 using, e.g., a dedicated control connection. The network switches 132, 134, 136 each may be embodied as, for example, a switch, a router, a load balancer, a learning switch, or another type of network device. The switches 132, 134, 136 each communicate with one or more servers 190 to effectuate the flow of network traffic 124 across the network 100 in accordance with a network security policy. As used herein, terms such as “network traffic” and “network flow” refer to, in the context of the network 100, sequences of data packets from a source computer to a destination, where the destination may be, for example, another host, a multicast group, or a broadcast domain. In some cases, network flow may refer to a logical equivalent of a call or a connection. A network flow may include all of the data packets in a specific transport connection or media stream. However, a network flow need not be directly mapped to a transport connection. A network flow can also be thought of as a set of data packets that pass an observation point in the network during a certain time interval.

The security policy for the dynamically programmable network 100 may be established by, for example, a network administrator. As used herein, the term “network administrator” may refer to, for example, a human operator, a network security software application, and/or a computerized agent or delegate of a human operator, such as a software application that acts under the direction of or in response to inputs from the human operator. The security policy may be implemented at the switches 132, 134, 136 as a number of network flow rules, which are maintained at the switches 132, 134, 136 in local flow tables 142, 144, 146. The local flow tables 142, 144, 146 are used by their respective switches 132, 134, 136 to instantiate flow rules at the switch and direct the network traffic 124 between the servers 190. Each of the switches 132, 134, 136 updates its respective local flow table 142, 144, 146 in accordance with the packet disposition updates 122. In some embodiments, the switches 132, 134, 136 may communicate changes in the local flow tables 140 back to the security mediation service 150. For simplicity, the illustrative network 100 is shown with three network switches 132, 134, 136 having local flow tables 142, 144, 146, respectively; however, the network 100 may include any number of switches 132, 134, 136.

Each of the servers 190 may be embodied as any suitable type of computing resource, e.g., a server computer, group of server computers, or one or more other devices that are configured to communicate with the switches 132, 134, 136 to send and receive data packets over the network 100. For simplicity, the illustrative network 100 is shown with a fixed number of servers 190 per switch 130; however, the network 100 may include any number of servers 190 in communication with any number of switches 130.

The security mediation service 150 includes a security mediator 172, which receives packet disposition directives 154 from the network applications 110, 112 in a non-bypassable manner. That is, the illustrative security mediator 172 is implemented between the applications 110, 112 and the network switches 132, 134, 136, so that all packet disposition directives 154 pass through or are intercepted by the security mediator 172 before being implemented by the switches 132, 134, 136. The security mediator 172 evaluates the packet disposition directives 154 based on the then-current network security policy, as described in more detail below. After a packet disposition directive 154 has been evaluated by the security mediator 172, the security mediation service 150 may communicate a corresponding packet disposition update 122 to one or more of the network switches 132, 134, 136.

As used herein, a “packet disposition directive” refers generally to any computer logic that determines or results in the disposition of one or more data packets by the switches 132, 134, 136 on the dynamically programmable network 100, or that changes the switches' behavior or configuration in any way. Some examples of potential packet dispositions include “forward” (in which a data packet is sent on to its next, intermediate or final, destination), “drop” (in which a switch deliberately does not send a data packet on to its next destination, because, for example, the switch's capacity is overloaded or the switch believes that the packet is part of a denial-of-service attack), and “modify” (in which information in the packet header is modified by the directive). Thus, packet disposition directives 154 can include flow rule insertion requests as well as other types of communications that result in a packet disposition without specifying a flow rule, such as “packet-outs” and “port mods.” A packet-out refers, generally, to a packet disposition directive 154 that may request one or more of the switches 132, 134, 136 to generate network traffic 124 in response to a specified network condition. A port mod refers, generally, to a packet disposition directive 154 that can enable or disable a port of a network switch 130. Packet disposition directives 154 can be produced by, for example, the network administrator and/or by any one or more of the network applications 110, 112. The packet disposition directives 154 may conform to or extend a software-defined network protocol implemented by the network controller/switch interface 120. For example, in some embodiments, the packet disposition directives 154 may be OpenFlow messages. In some embodiments, the packet disposition directives 154 may directly correspond to flow rules that can be directly instantiated at the network switches 132, 134, 136.

As used herein, a “flow rule” refers to packet disposition directives 154 that contain logic that, if executed at the network switches 132, 134, 136, would control the flow of data packets across the network 100. Thus, the set of all flow rules instantiated on the dynamically programmable network 100 embodies a current implementation of the network security policy. However, in the dynamically programmable network 100, flow rules, and thus, the network security policy, can be modified “on the fly” by the packet disposition directives 154. Thus, as used herein, “dynamically” connotes a network in which the flow rules, and thus the security policy, may be constantly varying or changing in response to, for example, the then-current network conditions. As used herein, terms such as “currently active flow rules” or “currently active directives” refer generally to the set of flow rules and/or other packet disposition directives that, at a particular moment in time during the operation of the network 100, represent the then-current network security policy. As used herein, terms such as “candidate flow rule” or “candidate directive” refer generally to any flow rule or other packet disposition directive that is not currently part of the set of currently active directives. In other words, “candidate flow rules” refer to flow rules that have not yet been evaluated by the security mediator 172, are currently being evaluated by the security mediator 172, or that have been evaluated but rejected by the security mediator 172.

To simplify the discussion, flow rules are referred to herein as having two main parts: match criteria and actions. The match criteria determine whether a flow rule applies to a particular data packet. The match criteria include a number of match fields, including those that specify source and destination criteria for matching data packets to the flow rule. The source and destination match fields each identify particular computing resources by any suitable references or identifiers, such as IP addresses, network masks, ports, and the like. In some embodiments, match fields other than source and destination may be used to evaluate the applicability of a flow rule to a data packet, and in some embodiments, one match criterion or multiple match criteria may be used.

A flow rule may contain one or more actions. The action(s) contained in the flow rule specify what action(s) are to be taken by a network switch if the flow rule applies to a particular data packet; that is, if the values of the match fields of the flow rule match the values of the corresponding match fields in the header of the data packet. An action may specify a disposition for the data packet, for example, to drop, forward, or modify the data packet. Some flow rules may specify that the data packet's header information is to be modified or rewritten, e.g., using a “set” action (in OpenFlow terminology), if the flow rule applies to the packet.

The network applications 110, 112 may each be embodied as any software program that controls, defines, or otherwise interacts with the dynamically programmable network 100. For instance, the network applications 110, 112 may include network security applications and/or other types of software applications running on the network 100. Each of the network applications 110, 112 may produce one or more packet disposition directives 154 that are received or intercepted by the security mediator 172 on their way to the network switches 132, 134, 136.

The illustrative embedded network application 110 is embodied as a network software application that executes in the same process space as the security mediation service 150. For example, the embedded network application 110 may be embodied as a loadable module executing within the same operating system process as the security mediation service 150. As another example, the embedded network application 110 may be embodied as a bytecode module loaded from the same archive as the security mediation service 150.

The illustrative external network application 112 is embodied as a network software application that executes outside of the process space of the security mediation service 150. For example, the external network application 112 may be embodied as a separate operating system process executing on the same computing device as the security mediation service 150 or on a remote computing device. In some embodiments, the external network application 112 may be embodied as a legacy native C OpenFlow application that communicates with the security mediation service 150 through an inter-process communication (IPC) proxy and IPC interface, where the IPC interface may be embedded in the same process space as the security mediation service 150 but the IPC proxy allows the network application 112 to be embodied as a separate operating system process that communicates with the security mediation service 150 using the IPC proxy. As a separate operating system process, the external network application 112 may execute from a separate, non-privileged account. In other embodiments, the external network application 112 may be embodied as a Python OpenFlow application that communicates with the security mediation service 150 through a Python Simplified Wrapper and Interface Generator (SWIG). For simplicity, only two illustrative network applications are shown in FIG. 1. However, the network 100 may include any number of external and/or embedded network applications 110, 112, or other types of software applications.

In some embodiments, one or more of the network applications 110, 112 may be embodied as or include a security directive translator. The security directive translator may convert commands received from other network applications 110, 112 into packet disposition directives 154 that are suitable for submission to the security mediation service 150. For example, the security directive translator may receive high-level threat-mitigation directives that are translated into lower-level packet disposition directives 154. In some embodiments, the security directive translator may resolve the higher-level directives using a pre-defined set of security directives, which may include, for example, “block,” “deny,” “allow,” “redirect,” “quarantine,” “undo,” “constrain,” and/or “info” directives. A “block” directive may, for example, implement a full duplex filter between a Classless Inter-Domain Routing (CIDR) block and the internal network, where the primary use for this command is in blacklist enforcement. The deny, allow, undo, and info directives may be similar to their firewall counterparts and capable of being refined down to an individual flow rule. A “redirect” directive may, for example, enable a network application 110, 112 to tunnel all flows between a source and given target to a new target. With a redirect, a switch 132, 134, 136 may rewrite the packet headers of all applicable network flows such that a source cannot tell that its flows have been redirected to the new target. One application of the “redirect” directive includes the redirection of a malicious scanner into a honeynet. A “quarantine” directive may enable a network application 110, 112 to essentially isolate an internal host from the network. A “constrain” directive may enable a network application 110, 112 to deactivate all current flow rules in the switches 132, 134, 136 that are not set to a specified priority (e.g., flow rules that are non-privileged).
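A minimal security directive translator for the “block,” “quarantine,” “redirect,” “allow,” and “deny” directives named above, written in Python as an added example (it is not the patent's or the openflowsec project's code). The internal network address, the dictionary shape of the emitted flow rules, and the “set dst=…; forward” action notation are this example's own assumptions; the “block” directive produces the full duplex filter described in the text, and “redirect” emits a rule pair that rewrites headers in both directions so the source still sees the original target.

```python
"""Security directive translator: maps high-level mitigation directives
onto low-level flow rules (added example; not the patent's own code)."""
from ipaddress import ip_network
from typing import Dict, List

# Constructed internal network used by the "block" directive's full
# duplex filter; a real translator would take this from configuration.
INTERNAL_NET = "10.0.0.0/8"
ANY = "*"

FlowRule = Dict[str, str]   # keys: src, dst, action


def _rule(src: str, dst: str, action: str) -> FlowRule:
    return {"src": src, "dst": dst, "action": action}


def translate(directive: str) -> List[FlowRule]:
    """Translate one directive string, e.g. 'block 203.0.113.0/24', into
    the flow rules that would be submitted to the security mediator.
    Unknown verbs and malformed addresses raise ValueError."""
    verb, *args = directive.split()
    if verb == "block":
        # Full duplex filter between the CIDR block and the internal network.
        cidr = str(ip_network(args[0], strict=False))
        return [_rule(cidr, INTERNAL_NET, "drop"),
                _rule(INTERNAL_NET, cidr, "drop")]
    if verb == "quarantine":
        # Isolate an internal host: drop its traffic in both directions.
        host = str(ip_network(args[0]))   # a bare address becomes a /32
        return [_rule(host, ANY, "drop"), _rule(ANY, host, "drop")]
    if verb == "redirect":
        # Tunnel src <-> target to new_target; rewrite headers both ways so
        # the source cannot tell that its flows were redirected.
        src, target, new_target = args
        return [_rule(src, target, f"set dst={new_target}; forward"),
                _rule(new_target, src, f"set src={target}; forward")]
    if verb in ("allow", "deny"):
        src, dst = args
        return [_rule(src, dst, "forward" if verb == "allow" else "drop")]
    raise ValueError(f"unsupported directive: {verb}")


if __name__ == "__main__":
    for d in ("block 203.0.113.0/24", "quarantine 10.0.0.7",
              "redirect 198.51.100.9 10.0.0.5 10.0.9.9", "deny 10.0.0.1 10.0.0.2"):
        print(d, "->", translate(d))
```

Each emitted rule is still a candidate directive: the translator only lowers the request, and the security mediator decides, by the submitting application's role, whether the rules are instantiated.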

Referring now in more detail to the security mediation service 150 of FIG. 1, the security mediation service 150 validates the sources of the packet disposition directives 154, analyzes the packet disposition directives 154 for conflicts with existing flow rules, and performs role-based conflict resolution. The security mediation service 150 detects and resolves conflicts quickly, allowing for real-time or near-real time control of the network flow rules. The illustrative security mediation service 150 is embodied as a number of computerized modules and data structures including a network security credentials table 156, an aggregate active state table 166, and a security mediator 172. Such computerized modules and data structures may execute or be resident on the same computing device or group of computing devices as the network controller/switch interface 120, and/or on one or more other computing devices that are connected to the network 100.

To receive packet disposition directives 154 from the various network applications 110, 112, the security mediation service 150 may include one or more network communication interfaces. For example, packet disposition directives 154 may be received from an embedded network application 110 using a computer scripting interface. Packet disposition directives 154 may be received from external network applications 112 using an inter-process communication mechanism such as pipes, sockets, or the like. For example, packet disposition directives 154 may be received through a secure sockets layer (SSL) communication from the external network application 112, which may be implemented as a process on a computing device separate from the security mediation service 150.

The security mediator 172 interfaces with the network security credentials table 156 to validate the sources or “producers” of packet disposition directives 154, and interfaces with the aggregate active state table 166 to maintain the current status of the network security policy as implemented as the set of currently active packet disposition directives. The network security credentials table 156 maintains a trust model for the security mediation service 150, which associates the various sources of packet disposition directives 154 with one or more security roles, packet disposition capabilities, and digital authentication content. As such, the network security credentials table 156 includes data relating to the sources 158, security roles 160, capabilities 162, and digital authentication content 164. The sources 158 may identify particular users, e.g., network administrators, or particular network applications 110, 112, which may submit packet disposition directives 154. The sources 158 may also be referred to by terminology such as “flow rule producers” or “rule insertion requestors.” The security roles 160 define particular security roles that may be assigned to the sources 158. Each role 160 has an associated priority, which is used by the security mediation service 150 to resolve flow rule conflicts. In some embodiments, one or more of the roles 160 may be extended with sub-roles according to the requirements of a particular design of the security mediation service 150. In some embodiments, the security roles 160 may include a number of pre-defined roles, e.g.: network administrators, security-related network applications 110, 112, and non-security-related applications 110, 112. For example, in some embodiments, the security role 160 associated with network administrators may be assigned the highest priority. The security role 160 associated with security-related network applications 110 may be assigned an intermediate priority that is lower than the administrator's priority but higher than the priority of other applications. For instance, network security applications may produce flow rules that further constrain the network administrator's static network security policy, based on newly perceived runtime threats or other current network conditions. The lowest-priority security role 160 may be assigned to sources 158 that are non-security-related network applications 110, 112, or that are unidentified (e.g., not digitally authenticated), or that are without an assigned role 160. Each of the roles 160 may be associated with one or more of the capabilities 162. The capabilities 162 define the operations that sources 158 are permitted to perform on the network 100; for example, the capabilities may include the ability to create, modify, or delete flow rules, the ability to create packet-outs, the ability to perform port mods, and the like. The capabilities 162 may be associated with particular roles 160, in some embodiments. As an example, in accordance with the network security credentials 156, a source 158 may be associated with a role 160, and based on the role 160 and/or the digital authentication content 164 associated with the source 158, the source 158 may have certain limited or expanded capabilities 162. The source's 158 role 160 and/or capabilities 162 may be determined based at least in part on whether the source 158 has associated digital authentication content 164. For example, in some embodiments, whether a source 158 has capabilities 162 that include the ability to create packet-outs or perform port mods may depend upon whether the source 158's identity has been successfully authenticated. When a packet disposition directive 154 is evaluated by the security mediation service 150, the security mediation service 150 considers the role 160 and/or capabilities 162 associated with the source 158 of the packet disposition directive 154.

The digital authentication content 164 stores information needed to identify and authenticate the sources 158. For example, the digital authentication content 164 may store a public key from a digital certificate associated with each source 158. For network applications 110, 112, the digital authentication content 164 may include an authentication tuple appropriate for the particular network application. For example, an external network application 112 may be identified by an SSL credential, an identity credential, and an SSL connection. In another example, an embedded network application 110 may be identified by a digital certificate and a digitally signed bytecode module.

The aggregate active state table 166 tracks the current state of the security policy on the network 100, as embodied in the set of currently active packet disposition directives 168, as it changes over time during the operation of the network. The aggregate active state table 166 thus stores data relating to the active directives 168, which represent all of the currently accepted packet disposition directives 154 in the dynamically programmable network 100 at any given moment in time. The aggregate active state table 166 also stores data relating to the currently active roles 170, which reference the security roles 160 associated with each of the currently active directives 168. Additionally, the aggregate active state table 166 maintains data relating to the current state of each of the local flow tables 140 of the switches 132, 134, 136 as it changes over time during the operation of the network 100.

The data relating to the active directives 168 may include, for each of the currently active directives 168 that includes a flow rule, a representation of the flow rule that is referred to herein as an alias set reduced format, or “alias set reduced rules.” The alias set reduced rules each include an expansion of the flow rule that makes explicit any field substitutions that would result from the application of the flow rule to a data packet to which the rule applies. In a simplified example, each alias set reduced rule includes a representation of the active flow rule itself, a source alias set, a destination alias set, an associated security role 160, and a disposition (e.g., drop, forward, modify, etc.). The source and destination alias sets are expanded representations of the source and destination match fields of the flow rule, respectively, which incorporate, for example, “set” action transformations and wildcards.

The alias sets initially include the values of the source and destination criteria (e.g., IP addresses, network masks, ports, etc.) specified in the match fields of the flow rule. If the rule's action allows another value to be substituted for the initial value of a match field, using, e.g., a “set” action, the resulting value or values are added to the associated alias set. Alias set expansion may continue for related, subsequent flow rules. The initial alias sets for each subsequent flow rule are created for the source and destination match fields as above. These alias sets are then compared to the alias sets of the previous rule. If an alias set intersects with the alias set of the previous rule, the union of the alias sets is used as the alias set for the subsequent rule. As used herein, “intersect” connotes, as in mathematics, the generation of a set that contains all elements of a set A that also belong to another set B (or equivalently, all elements of B that also belong to A), but no other elements. As used herein, “union” connotes, as in mathematics, the generation of a set that contains all elements of a set A and all elements of another set B, but no duplicates. Such expansion is performed for all of the currently active flow rules and stored in the aggregate active state table 166.

For example, Table 1 below illustrates a set of three related flow rules and their associated alias sets. Flow rule 1 matches packets with source a and destination c, and includes an action to set a to a′. Thus, for rule 1, the source alias set is (a, a′) and the destination alias set is (c). Rule 2 matches packets with source a′ to destination c and includes an action to set c to b. The source alias set for rule 2 is initially (a′), which intersects with the source alias set for rule 1. Thus, the source alias set for rule 2 is (a, a′), the union of the source alias sets of rules 1 and 2. Based on the set action, the destination alias set for rule 2 is (c, b). Lastly, rule 3 matches packets with source a′ to destination b and includes an action to forward the data packet. The initial source and destination alias sets are (a′) and (b), respectively. These alias sets intersect with the alias sets of rule 2, so the final alias sets of rule 3 are (a, a′) and (c, b).

TABLE 1
Flow rules and alias sets.

#   Rule                        Source Alias Set   Destination Alias Set
1   a → c (set a ⇒ a′)          (a, a′)            (c)
2   a′ → c (set c ⇒ b)          (a, a′)            (c, b)
3   a′ → b, forward packet      (a, a′)            (c, b)
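The alias set reduction described above, worked through in Python as an added example (it is not code from the patent or from the openflowsec project). It reproduces Table 1 and then goes one step further than the table: it applies the definition of a rule conflict used later in this description (a candidate enabling a flow that an active rule prohibits) to the reduced rules, which shows why the expansion matters. A dropped flow a → b is not visibly touched by rule 3 (a′ → b) on its own, but after reduction rule 3 carries the alias sets (a, a′) and (c, b) and the overlap with the drop rule is detected. The FlowRule and AliasReducedRule names are this example's own, and a′ is written a' in the code.

```python
"""Alias set reduction of related flow rules, and the rule-conflict test
it enables (added example; not the patent's or the project's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class FlowRule:
    """Simplified flow rule: source/destination match values, a
    disposition, and optional 'set' actions that rewrite a field."""
    src: str
    dst: str
    disposition: str = "forward"     # forward | drop
    set_src: Optional[str] = None    # e.g. set a => a'
    set_dst: Optional[str] = None    # e.g. set c => b


@dataclass
class AliasReducedRule:
    """The rule plus its expanded source and destination alias sets."""
    rule: FlowRule
    src_alias: Set[str]
    dst_alias: Set[str]


def initial_alias_sets(rule: FlowRule) -> Tuple[Set[str], Set[str]]:
    """Alias sets start from the match-field values; a 'set' action adds
    the substituted value to the corresponding set."""
    src = {rule.src}
    dst = {rule.dst}
    if rule.set_src is not None:
        src.add(rule.set_src)
    if rule.set_dst is not None:
        dst.add(rule.set_dst)
    return src, dst


def reduce_alias_sets(rules: List[FlowRule]) -> List[AliasReducedRule]:
    """Expand alias sets across a sequence of related rules: when a
    rule's initial alias set intersects the previous rule's alias set,
    the union of the two becomes the rule's alias set."""
    reduced: List[AliasReducedRule] = []
    for rule in rules:
        src, dst = initial_alias_sets(rule)
        if reduced:
            prev = reduced[-1]
            if src & prev.src_alias:
                src = src | prev.src_alias
            if dst & prev.dst_alias:
                dst = dst | prev.dst_alias
        reduced.append(AliasReducedRule(rule, src, dst))
    return reduced


def rule_conflicts(candidate: AliasReducedRule,
                   active: List[AliasReducedRule]) -> List[AliasReducedRule]:
    """Active rules that conflict with the candidate: the alias sets
    overlap at both ends and exactly one of the two rules drops the flow
    (the candidate enables a prohibited flow, or disables an allowed one)."""
    def enables(r: AliasReducedRule) -> bool:
        return r.rule.disposition != "drop"
    return [a for a in active
            if candidate.src_alias & a.src_alias
            and candidate.dst_alias & a.dst_alias
            and enables(candidate) != enables(a)]


def table_1() -> List[Tuple[List[str], List[str]]]:
    """Reproduce Table 1 as (source alias set, destination alias set)."""
    rules = [
        FlowRule("a", "c", set_src="a'"),   # rule 1: a -> c (set a => a')
        FlowRule("a'", "c", set_dst="b"),   # rule 2: a' -> c (set c => b)
        FlowRule("a'", "b"),                # rule 3: a' -> b, forward
    ]
    return [(sorted(r.src_alias), sorted(r.dst_alias))
            for r in reduce_alias_sets(rules)]


def tunneling_example() -> Tuple[bool, bool]:
    """Active policy drops a -> b. Rule 3 alone (a' -> b) does not match
    that flow, but its reduced alias sets do. Returns (naive, reduced)."""
    active = reduce_alias_sets([FlowRule("a", "b", disposition="drop")])
    chain = reduce_alias_sets([
        FlowRule("a", "c", set_src="a'"),
        FlowRule("a'", "c", set_dst="b"),
        FlowRule("a'", "b"),
    ])
    rule3 = chain[-1]
    naive = AliasReducedRule(rule3.rule, *initial_alias_sets(rule3.rule))
    return (bool(rule_conflicts(naive, active)),
            bool(rule_conflicts(rule3, active)))


if __name__ == "__main__":
    for n, (s, d) in enumerate(table_1(), 1):
        print(n, s, d)
    print("conflict detected (naive, reduced):", tunneling_example())
```

The comparison against the previous rule follows the text literally; a mediator that must consider every related active rule rather than only the immediately preceding one would iterate the same intersection-and-union step over the whole active set.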

Referring now in more detail to the security mediator 172 of FIG. 1, the security mediator 172 receives the packet disposition directives 154 from the network applications 110, 112 and analyzes each of the packet disposition directives 154 to detect and resolve conflicts with the then-current security policy as expressed by the active directives 168. Acceptable packet disposition directives 154 are added to the active directives 168 and implemented on the switches 132, 134, 136. The illustrative security mediator 172 is embodied as a number of computerized modules and data structures including a role-based source authenticator 174, a state table manager 176, a conflict analyzer 178, and a switch state change detection module 184.

The role-based source authenticator 174 identifies and authenticates the source 158 associated with the packet disposition directive 154 and associates the source 158's role 160 with the packet disposition directive 154, as described in detail below in connection with FIG. 2. To perform such authentication and validation, the role-based source authenticator 174 may reference the network security credentials table 156.

The state table manager 176 manages and maintains the current state of the aggregate active state table 166 and/or the network security credentials table 156 as flow rules and/or other directives are added to, modified in, or deleted from the set of currently active directives. The state table manager 176 may operate in conjunction with the switch state change detection module 184, so that the aggregate active state table 166 remains synchronized with the local flow tables 142, 144, 146 at the network switches 132, 134, 136, as described in more detail below.

The conflict analyzer 178 determines, “live”—that is, when a packet disposition directive 154 is received at the security mediator 172—whether to instantiate a packet disposition directive 154 based on its associated role 160. For packet disposition directives 154 containing flow rule insertion requests (e.g., candidate flow rules), the conflict analyzer 178 may compare each candidate flow rule to the set of existing active directives 168. Such comparison may detect one or more rule conflicts, including rule conflicts involving dynamic flow tunneling. As used herein, a “rule conflict” arises when a candidate flow rule seeks to enable a network flow that is otherwise prohibited by the existing currently active directives 168, or a candidate flow rule seeks to disable a network flow that is otherwise allowed by the existing currently active directives 168. For example, conflicts can include contradictory or inconsistent rules. Any conflicts between candidate flow rules and existing active directives 168 are resolved in accordance with the network security policy. In some embodiments, conflict detection and conflict resolution may be performed by sub-modules of the conflict analyzer 178, for example by a conflict detection module 180 and/or a conflict resolution module 182.

The switch state change detection module 184 communicates messages received from the switches 132, 134, 136 relating to the status of the local flow tables 140 of each switch 130. In particular, the switch state change detection module 184 may provide an interface by which the aggregate active state table 166 is updated when any of the switches 132, 134, 136 perform rule expiration. In some embodiments, the switch state change detection module 184 may implement a callback routine to receive messages from the switches 132, 134, 136 and coordinate the state of the switches 132, 134, 136 with the aggregate active state table 166. For example, a switch 130 may reject or refuse flow rule updates when resources of the switch 132, 134, 136, such as the local flow tables 142, 144, 146, are exhausted. In such event, the switch 130 may send a message to the switch state change detection module 184 signaling such rejection. In other embodiments, a switch 130 may delete a flow rule based on the expiration of a defined amount of time (e.g., a “timeout”) and send a message signaling the deletion to the switch state change detection module 184. The switch state change detection module 184 receives such messages and updates the aggregate active state table 166 accordingly.

Referring now to FIG. 2, an illustrative method 200 for managing packet disposition directives 154 “inline,” e.g., as the directives 154 are received by the security mediator 172 during the operation of the network 100, is shown. The method 200 may be embodied as computerized programs, routines, logic and/or instructions of the computing system 710, e.g., as part of the security mediation service 150, for example. At block 210, the method 200 validates the packet disposition directive 154 based on its associated security role 160. In some embodiments, the role-based source authenticator 174 may determine the role 160 by first determining the source 158 of the packet disposition directive 154, for example by validating a digital certificate used by the source 158 to sign the packet disposition directive 154. In other embodiments, the packet disposition directive 154 may be validated by the act of successful receipt, for example when transmitted over a secure sockets layer connection that is secured by a digital certificate. As described above, the source 158's association with a role 160 may be maintained by the network security credentials table 156. If the source 158 is not associated with any role 160, the role-based source authenticator 174 may assign the lowest-priority role 160 to the packet disposition directive 154.

In block 212, the method 200 determines whether the source 158 is permitted to perform the requested packet disposition directive 154. The role-based source authenticator 174 may reference the capabilities 162 and/or the role 160 of the requested packet disposition directive 154 to determine whether the requested disposition is permitted. For example, sources 158 with lower-priority roles 160 or fewer capabilities 162 may not be permitted to perform packet-outs or port mods. If the source 158 is not permitted to perform the requested directive 154, the method 200 branches to block 224 to reject the packet disposition directive 154, as described below. If the source 158 is permitted to perform the requested directive 154, the method 200 advances to block 214.

In block 214, the method 200 determines whether a candidate flow rule included in the packet disposition directive 154 conflicts with the set of active directives 168. As described above, the packet disposition directive 154 may include a flow rule insertion request describing a “candidate flow rule” to be installed at the network switches 132, 134, 136. In some embodiments, the determination of whether a rule conflict exists may be performed by executing an illustrative method 300 shown in FIG. 3. If the method 200 determines at block 214 that the packet disposition directive 154 includes a candidate flow rule that conflicts with the active directives 168, then the method 200 proceeds to block 218 as described below. If the packet disposition directive 154 includes a candidate flow rule that does not conflict with the active directives 168 (or the directive 154 does not include a candidate flow rule), the method 200 branches to block 216.

In block 216, the method 200 determines whether the source of the packet disposition directive 154 is permitted to add, modify or delete the active packet disposition directives 168. The method 200 may perform such determination by referencing the network security credentials table 156. The security policy for the dynamically programmable network 100 may require that a particular capability 162 be associated with the source 158 in order to add, modify, or delete active directives 168. For example, network administrators or security-related network applications 110, 112 may be allowed to add, modify, or delete flow rules, but non-security-related or unidentified network applications 110, 112 may only be allowed to add flow rules that do not conflict with the flow rules produced by the network administrators. Checking the security role associated with the directive 154 at this point allows for security enforcement even when no flow rule conflict exists. For instance, a directive 154 that includes a packet-out can be evaluated in this way. If the source of the directive 154 is permitted to add, modify, or delete directives 168, the method 200 branches to block 220 as described below. If the source of the directive 154 is not permitted to add, modify, or delete directives 168, the method 200 proceeds to block 224.

In block 224, the method 200 rejects the packet disposition directive 154 and may update the aggregate active state table 166 as needed. The method 200 may delete any flow rules corresponding to the packet disposition directive 154 that may have been stored in the aggregate active state table 166. In some embodiments, the rejection of the directive 154 may be signaled to the appropriate network application 110, 112 through the network controller/switch interface 120.

Referring back to block 214, if the packet disposition directive 154 conflicts with the active directives 168, the method 200 proceeds to block 218, in which the method 200 resolves the rule conflict based on the security role 160 of the packet disposition directive 154. The method 200 determines whether to accept or reject the packet disposition directive 154 by comparing the security role 160 of the packet disposition directive 154 and the particular conflicting rules of the active directives 168. The method 200 may determine whether to implement the packet disposition directive 154 at the network switches 132, 134, 136 based on whether the candidate flow rule for the packet disposition directive 154 has a higher priority than the conflicting active flow rules. In some embodiments, rule conflict resolution may be performed by executing an illustrative method 400 shown in FIG. 4.

After completion of block 218, the method 200 proceeds to block 220. Additionally, referring back to block 216, if the source 158 is permitted to add, modify or delete active directives 168, the method 200 also branches to block 220. In block 220, the method 200 determines whether to add the packet disposition directive 154 to the set of active directives 168. The method 200 may add the packet disposition directive 154 to the set of active directives 168 if there is no conflict and the source 158 is permitted to add, modify, or delete flow rules, or if there is a conflict that was resolved in favor of overriding an active flow rule with the candidate flow rule. The method 200 may not add the packet disposition directive 154 to the set of active directives 168 if there is a rule conflict and the conflict was resolved in favor of rejecting the candidate flow rule. If the method 200 determines not to add the packet disposition directive 154 to the set of active directives 168, the method 200 branches to block 224 to reject the packet disposition directive 154, as described above. If the method 200 determines to add the packet disposition directive 154 to the set of active directives, the method 200 proceeds to block 222.

In block 222, the method 200 instantiates the newly-approved packet disposition directive 154 at the network switches 132, 134, 136 and updates the aggregate active state table 166 accordingly. To instantiate the packet disposition directive 154, the security mediation service 150 may communicate packet disposition updates 122 to the switches 132, 134, 136. For example, the network controller/switch interface 120 may send appropriate OpenFlow commands to the switches 132, 134, 136 to implement a newly-approved candidate flow rule and to purge any inconsistent active flow rules from the local flow tables 142, 144, 146. In response to receiving the packet disposition updates 122, each of the switches 132, 134, 136 inserts appropriate flow control rules into the respective local flow table 142, 144, 146. The aggregate active state table 166 may be updated to include the packet disposition directive 154 as part of the active directives 168. Conflicting active flow rules may be purged from the aggregate active state table 166 and from the local flow tables 142, 144, 146. Additionally, the state of the switches 132, 134, 136 may be recorded in the aggregate active state table 166. As described above, the switch state change detection module 184 may register one or more callback functions in order to keep the aggregate active state table 166 synchronized with the current state of the switches 132, 134, 136.

The security mediation service 150 may coordinate the communication of the packet disposition updates 122 to the network switches 132, 134, 136 to maintain the consistency and correctness of the dynamically programmable network 100. In some embodiments, the security mediation service 150 may first communicate the packet disposition updates 122 to the most distant network switch. For example, consider that of the switches 132, 134, and 136, network switch 136 is most distant from the network controller/switch interface 120 in terms of geography, latency, network topography, or the like. The security mediation service 150 may send the packet disposition updates 122 to the network switch 136 before the network switches 132, 134. Alternatively or additionally, in some embodiments the security mediation service 150 may first communicate the packet disposition updates 122 to all network switches that did not trigger the packet disposition directive 154 before communicating the packet disposition updates 122 to the triggering network switch. Packet disposition updates 122 may be triggered by network switches in several circumstances. For example, the network switch 136 may request a flow rule after encountering a data packet that does not match any rules in the local flow table 146. As another example, a network application 110, 112 may trigger packet disposition updates 122 based on activity observed at the network switch 136. In such embodiments, the security mediation service 150 may communicate the packet disposition updates 122 to the network switches 132, 134 before communicating them to the network switch 136. Such ordering ensures that the state of the network 100 remains consistent and correct across all of the network devices.

Conflict Detection

Referring now to FIG. 3, the method 300 for determining whether a candidate flow rule conflicts with any of the active directives 168 is shown. The method 300 may be embodied as computerized programs, routines, logic and/or instructions of the computing system 710, e.g., as part of the conflict detection module 180, for example. In block 310, the method 300 derives the source alias set and destination alias set for the candidate flow rule. Derivation of alias sets is described above with respect to the aggregate active state table 166 of FIG. 1.

In block 312, the method 300 compares the alias sets for the candidate flow rule to the alias sets of each of the active flow rules in the set of active directives 168. Illustratively, the candidate flow rule is compared to the active directives 168 in decreasing priority order. The active directives 168 may be stored in sorted order, or may be sorted prior to such comparison. In block 314, the method 300 determines whether the disposition specified in the candidate flow rule equals the disposition of the active flow rule. For example, the dispositions are equal when both are forward or both are drop. If the dispositions are both forward or both drop, then the two flow rules do not conflict. Thus, if the dispositions are equal, the method 300 skips ahead to block 320, described below. If the dispositions are not both forward or both drop, the method 300 advances to block 316.

In block 316, the method 300 compares the candidate flow rule alias sets to the active flow rule alias sets. As described above, the alias sets for the active flow rule may be pre-computed, for example when stored as an alias set reduced rule in the aggregate active state table 166. In block 318, the method 300 determines whether the alias sets of the candidate flow rule intersect with the alias sets of the active flow rule. That is, the method 300 determines whether both the source alias sets of each flow rule intersect and the destination alias sets of each flow rule intersect. Because the match field for each flow rule may include wildcards and/or network masks, for example, in this context set intersection is evaluated by determining whether each field specification is more encompassing (“wider”), more specific (“narrower”) or equal to another field specification. If the alias sets intersect, a conflict has been identified. In other words, a conflict exists when the alias set for an active flow rule intersects with the alias set of the candidate flow rule and the action parts of the active flow rule and the candidate flow rule are not equal. Where the active directives 168 are evaluated in decreasing priority order, there may be no need to test further active flow rules once a conflict has been found, and the method 300 returns to block 218 of FIG. 2. In some embodiments, however, the method 300 may continue on to block 320 and continue to evaluate one or more of the remaining active flow rules 168, before returning to block 218 of FIG. 2. If the alias sets of the candidate and active flow rules do not intersect, then no conflict has been found and the method 300 advances to block 320.

In block 320, the method 300 determines whether the active directives 168 include additional active flow rules to be evaluated. If there are additional active flow rules to be evaluated, the method 300 loops back to block 314 to compare the next active flow rule to the candidate flow rule. If no additional active flow rules are to be evaluated, the method 300 returns to block 216 of FIG. 2.

Conflict Resolution

Referring now to FIG. 4, the illustrative method 400 for resolving conflicts between the candidate flow rule and the conflicting active directives 168 is shown. The method 400 may be embodied as computerized programs, routines, logic and/or instructions of the computing system 710, e.g., as part of the conflict resolution module 182, for example. In block 410, the method 400 determines whether the role 160 of the candidate flow rule has greater priority than the role 160 of each conflicting active flow rule. If so, the method 400 branches to block 412, in which the method 400 overrides the active flow rule with the candidate flow rule. To do so, the method 400 may update the aggregate active state table 166 to purge the currently active flow rule and add the newly-approved packet disposition directive. Thus, packet disposition directives 154 issued from higher-priority security roles 160 may modify or replace already-existing, lower-priority flow rules, which may allow administrators and security-related network applications 110, 112 to define security policy and respond to active security threats.

Referring back to block 410, if the role 160 of the candidate flow rule is not of greater priority than the role 160 of the conflicting active flow rule, the method 400 advances to block 414. In block 414, the method 400 determines whether the role 160 of the candidate flow rule is equal in priority to the role 160 of the conflicting active flow rule. If the role priorities are equal, the method 400 branches to block 416, in which the method 400 determines how to dispose the candidate flow rule based on the network security policy. The security policy may be configured by an administrator of the dynamically programmable network 100 or by an administrator of the security mediation service 150, for example. In some embodiments, the candidate flow rule may override the active flow rule, effectively enforcing a “most recent” flow rule security policy. In other embodiments, the candidate flow rule may be rejected, thereby protecting the prior active flow rule from modification.

Referring back to block 414, if the role 160 of the packet disposition directive 154 is not of equal or greater priority to the role 160 of the conflicting active flow rule, then the method 400 advances to block 418. In block 418, the method 400 rejects the candidate flow rule. In such circumstances, the candidate flow rule has a lower priority than the currently active flow rules. Therefore, higher-priority flow rules may not be changed by conflicting packet disposition directives 154 issued from lower-priority security roles 160.

Aggregate Active State Manager

Referring now to FIG. 5, an illustrative method 500 for managing the aggregate active state table 166 is shown. The method 500 may be embodied as computerized programs, routines, logic and/or instructions of the switch state change detection module 184, for example. The method 500 may execute asynchronously or concurrently with the other processes of the security mediation service 150. In block 510, the method 500 determines whether a state change has occurred at one of the network switches 132, 134, 136. In some embodiments, the switch state change detection module 184 may poll the network switches 132, 134, 136 for their status. In some embodiments, the switch state change detection module 184 may handle notifications received from the switches 132, 134, 136, for example by registering a callback function. The switches 132, 134, 136 may notify the security mediation service 150 whenever the content of the local flow tables 140 changes, for example, when a flow rule is deleted upon a timeout. In some embodiments, when communication with the switches 132, 134, 136 is lost, the switch state change detection module 184 may simulate the operation of the switches 132, 134, 136 and predict the expiration of flow rules. If a state change is not detected, the method 500 loops back to continue detecting state changes at block 510. If a state change is detected, the method 500 advances to block 512.

In block 512, the method 500 updates the aggregate active state table 166 based on the type of detected state change. For example, for a deletion event, the switch state change detection module may purge the associated entries in the aggregate active state table 166 to match the state of the network switches 132, 134, 136.
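The state-tracking loop of method 500, as an added example that is not part of the patent text: an aggregate table that is updated from switch-reported events through a registered callback (blocks 510 and 512), purges entries on timeout deletions and table-full rejections as claims 24 and 26 describe, and, once a switch becomes unreachable, simulates that switch by predicting which of its flow rules would have expired (claims 27 and 28). The event names, the idle/hard timeout fields (borrowed from OpenFlow's convention) and the callback signature are assumptions of this example.

```python
"""Aggregate active state table kept in step with switch state, modelled on method 500.

Constructed example, not the patent's own code. Event names, the timeout fields
and the callback signature are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ActiveFlow:
    switch: str
    match: str            # constructed match key, e.g. "203.0.113.0/24->10.0.0.0/8"
    installed_at: float   # seconds, switch-local clock
    idle_timeout: float   # seconds since the last matching packet; 0 means none
    hard_timeout: float   # seconds since installation; 0 means none
    last_hit: float


class AggregateStateTable:
    """Table 166: one confirmed entry per (switch, match) plus switch reachability."""

    def __init__(self) -> None:
        self.entries: dict[tuple[str, str], ActiveFlow] = {}
        self.reachable: set[str] = set()

    def register_with(self, register_callback) -> None:
        # Block 510: the switch side calls on_switch_event for each state change
        # instead of the table polling the switches.
        register_callback(self.on_switch_event)

    def on_switch_event(self, switch: str, event: str, match: str, now: float,
                        flow: Optional[ActiveFlow] = None) -> None:
        """Block 512: apply one switch-reported change to the aggregate table."""
        if event == "disconnected":
            self.reachable.discard(switch)
            return
        self.reachable.add(switch)
        key = (switch, match)
        if event == "flow_added" and flow is not None:        # install confirmed by the switch
            self.entries[key] = flow
        elif event in ("flow_removed", "flow_rejected"):      # timeout/delete, or local table full
            self.entries.pop(key, None)
        elif event == "packet_matched" and key in self.entries:
            self.entries[key] = replace(self.entries[key], last_hit=now)

    def predict_expirations(self, switch: str, now: float) -> list[str]:
        """Simulate an unreachable switch: purge its entries whose idle or hard
        timeout would have fired by `now`. Returns the purged match keys."""
        if switch in self.reachable:          # reachable switches report for themselves
            return []
        expired = []
        for key, f in list(self.entries.items()):
            if key[0] != switch:
                continue
            idle_gone = f.idle_timeout and now - f.last_hit >= f.idle_timeout
            hard_gone = f.hard_timeout and now - f.installed_at >= f.hard_timeout
            if idle_gone or hard_gone:
                expired.append(f.match)
                del self.entries[key]
        return expired

    def active_matches(self, switch: str) -> list[str]:
        return sorted(m for (s, m) in self.entries if s == switch)
```

The table only ever records a rule after the switch confirms it, so a rejected insertion never leaves a phantom entry; and prediction is refused while the switch is reachable, because a reachable switch's own notifications are the authoritative record.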

Source Authentication

Referring now to FIG. 6, an illustrative method 600 for registering sources 158 of packet disposition directives 154 is shown. The method 600 may be embodied as computerized programs, routines, logic and/or instructions of the computing system 710, e.g., as part of the security mediation service 150, for example. The method 600 may be executed ahead of time or otherwise in an out-of-band fashion to prepare the security mediation service 150 to receive packet disposition directives 154.

The method 600 begins with block 610, in which the security mediation service 150 receives a registration request from a source 158. The registration request may identify the source 158, for example as a network application 110, 112 or as a network administrator. The registration request may present credentials associated with the source 158. Such credentials may include, for example, a digital signature or a public key associated with the source 158, which can be used to authenticate digitally-signed directives 154. In block 612, the method 600 authenticates the source 158. The method 600 may validate the credentials supplied by the source 158 to confirm the identity of the source 158. The method 600 may store the supplied credentials or data derived from the supplied credentials in the digital authentication content 164. In block 614, the method 600 updates the network security credentials table 156 to assign a role 160 and capabilities 162 to the source 158 based on, for example, information received during the source registration. In some embodiments, the source 158's role 160 and/or capabilities 162 may vary depending upon whether the source has supplied a digital signature or public key. In some embodiments, the source 158's role 160 and/or capabilities 162 may vary depending on a communication channel or an operating system process associated with the source 158. For instance, in some embodiments, a lower-priority role may be assigned to external network applications 112 and a higher-priority role may be assigned to embedded network applications 110. As another example, a lower-priority role may be assigned to external applications 112 that communicate with the security mediation service 150 using an IPC proxy and IPC interface. As a further example, an un-authenticated source may have fewer capabilities 162 than a source 158 that has been successfully authenticated. The assignment of role 160 and capabilities 162 to sources 158 may depend on enterprise policy. In some embodiments, the assignment of roles 160 to sources 158 may be performed by a network administrator, e.g., during registration of the sources and/or prior to deployment of the dynamically programmable network 100.

Example Usage Scenarios

In one example, the security mediation service 150 can mediate “live” flow rule interactions between a reflector net and legacy network security applications; that is, as they occur. In this example, a network application 110 implements a “reflector net.” The reflector net performs two basic operations: first, the reflector net detects an active malicious scanner. Second, upon detection of the active malicious scanner, the reflector net dynamically reprograms the network 100 to redirect all of the malicious scanner's flow into a remote honeynet. As a security-related application, the network application 110 is assigned an intermediate-priority security role 160, which is lower than the priority assigned to network administrators but higher than the priority assigned to non-security related applications.

Continuing this example, an external network application 112 implements an ordinary firewall using a legacy flow control interface to the security mediation service 150. The firewall implements the static security policy as defined by the network administrator for the network 100, and thus is associated with the highest-priority security role 160.

At runtime, the network application 110 may attempt to insert flow rules to redirect traffic based on detected threats from an already-firewalled remote host. These candidate flow rules may conflict with active flow rules previously inserted by the network application 112; for example, proposed redirect rules may conflict with deny rules of the firewall. If the new rules conflict, the firewall rules of the network application 112 should have the higher-priority role. Therefore, the security mediation service 150 will deny and prevent the implementation of such conflicting rules submitted by the network application 110.
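The inline mediation of method 200, the alias-set conflict detection of method 300 and the role-based resolution of method 400, worked through on the reflector-net and firewall scenario above, as an added example that is not code from the patent. The credentials table, the role names and their ordering, the capability names, the representation of match fields as CIDR blocks (with a wildcard as 0.0.0.0/0), and the derivation of a destination alias set as the match field plus any address a rule rewrites to are all assumptions of this example; the addresses are constructed from documentation ranges.

```python
"""Role-based mediation of candidate flow rules, modelled on methods 200, 300 and 400.

Constructed example, not the patent's own code. Role names and ordering, capability
names, the credentials table and the CIDR-based alias sets are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_network
from typing import Optional

# Assumed ordering: administrators outrank security applications, which outrank
# non-security applications; an unregistered source gets the lowest role (block 210).
ROLE_PRIORITY = {"administrator": 3, "security_app": 2, "non_security_app": 1, "unknown": 0}

# Assumed network security credentials table (156): source -> (role, capabilities).
CREDENTIALS = {
    "firewall_app":  ("administrator", {"flow_add", "packet_out", "port_mod"}),
    "reflector_net": ("security_app", {"flow_add", "packet_out"}),
    "ids_app":       ("security_app", {"flow_add", "packet_out"}),
    "load_balancer": ("non_security_app", {"flow_add"}),
}


@dataclass(frozen=True)
class FlowRule:
    src: str                        # match field: CIDR or "*" wildcard
    dst: str
    disposition: str                # "forward" or "drop"
    role: str = "unknown"           # stamped by mediate() from the source's credentials
    set_dst: Optional[str] = None   # assumed rewrite action; a redirect is forward + set_dst

    def src_aliases(self) -> set[IPv4Network]:
        return {to_net(self.src)}

    def dst_aliases(self) -> set[IPv4Network]:
        # Assumed alias-set derivation: the match field plus any rewrite target.
        aliases = {to_net(self.dst)}
        if self.set_dst:
            aliases.add(to_net(self.set_dst))
        return aliases


def to_net(spec: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if spec == "*" else ip_network(spec, strict=False)


def compare_fields(a: IPv4Network, b: IPv4Network) -> Optional[str]:
    """Block 318: 'equal', 'wider' (a encompasses b), 'narrower' (b encompasses a), or None."""
    if a == b:
        return "equal"
    if b.subnet_of(a):
        return "wider"
    if a.subnet_of(b):
        return "narrower"
    return None


def alias_sets_intersect(x: set[IPv4Network], y: set[IPv4Network]) -> bool:
    return any(compare_fields(a, b) is not None for a in x for b in y)


def detect_conflicts(candidate: FlowRule, active: list[FlowRule]) -> list[FlowRule]:
    """Method 300: active rules in decreasing role priority; a conflict is an active rule
    with a different disposition whose source and destination alias sets both intersect
    the candidate's (blocks 314-318). All conflicts are collected, not just the first."""
    ordered = sorted(active, key=lambda r: ROLE_PRIORITY[r.role], reverse=True)
    return [r for r in ordered
            if r.disposition != candidate.disposition
            and alias_sets_intersect(candidate.src_aliases(), r.src_aliases())
            and alias_sets_intersect(candidate.dst_aliases(), r.dst_aliases())]


def resolve_conflicts(candidate: FlowRule, conflicts: list[FlowRule],
                      tie_policy: str = "reject") -> str:
    """Method 400: override only if the candidate outranks every conflicting rule (412);
    equal priority follows the configured policy, 'reject' or 'most_recent' (416);
    lower priority is rejected (418)."""
    for rule in conflicts:
        c, a = ROLE_PRIORITY[candidate.role], ROLE_PRIORITY[rule.role]
        if c < a or (c == a and tie_policy != "most_recent"):
            return "reject"
    return "override"


def mediate(source: str, kind: str, candidate: Optional[FlowRule], active: list[FlowRule],
            tie_policy: str = "reject") -> tuple[str, list[FlowRule]]:
    """Method 200 for one directive. kind is 'flow_add', 'packet_out' or 'port_mod';
    candidate is the flow rule carried by a flow_add. Returns (decision, new active set)."""
    role, caps = CREDENTIALS.get(source, ("unknown", set()))        # block 210
    if kind not in caps:                                              # block 212
        return "reject", active
    if candidate is None:                                             # no flow rule to conflict
        return "accept", active
    candidate = replace(candidate, role=role)
    conflicts = detect_conflicts(candidate, active)                   # block 214
    if not conflicts:                                                 # blocks 216/220
        return "accept", active + [candidate]
    if resolve_conflicts(candidate, conflicts, tie_policy) == "reject":   # block 218
        return "reject", active                                       # block 224
    # Block 222: install the candidate and purge the overridden active rules.
    return "accept", [r for r in active if r not in conflicts] + [candidate]
```

In the scenario, the firewall's deny rule for the scanner's network is held by an administrator-role source, so the reflector net's redirect of one host inside that network (a forward with a rewrite to the honeynet) is detected as a conflict and rejected, while a redirect of a host the firewall does not cover is accepted without contest. The same code shows an administrator's candidate displacing a non-security application's conflicting rule, and two equal-priority security applications settled by the configured tie policy.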

Implementation Examples

Referring now to FIG. 7, a simplified block diagram of an exemplary hardware environment 700 in which the security mediation service 150 may be implemented, is shown. The illustrative implementation 700 includes a computing system 710, which may implement the network controller/switch interface 120, the security mediation service 150, and/or one or more of the network security applications 110, 112 on a single computing device or multiple computing devices that are coupled to the network 100.

The illustrative computing system 710 includes at least one processor 712 (e.g. a microprocessor, microcontroller, digital signal processor, etc.), memory 714, and an input/output (I/O) subsystem 716. The computing system 710 may be embodied as any type of computing device(s) such as a personal computer (e.g., desktop, laptop, tablet, smart phone, body-mounted device, etc.), a server 190, an enterprise computer system, a network of computers, a combination of computers and other electronic devices, or other computing devices. Although not specifically shown, it should be understood that the I/O subsystem 716 typically includes, among other things, an I/O controller, a memory controller, and one or more I/O ports. The processor 712 and the I/O subsystem 716 are communicatively coupled to the memory 714. The memory 714 may be embodied as any type of suitable computer memory device (e.g., volatile memory such as various forms of random access memory).

The I/O subsystem 716 is communicatively coupled to a number of components including one or more data storage devices 718 and communication circuitry 720. Although not specifically shown, one or more user input devices (e.g., keyboard, touch screen, etc.) and output devices (e.g., a display) may be coupled to the I/O subsystem 716 to allow a human operator, such as a network administrator, to, for example, establish and update a network security policy. The data storage 718 may include one or more hard drives or other suitable data storage devices (e.g., flash memory, memory cards, memory sticks, and/or others). In some embodiments, the aggregate active state table 166 and/or the network security credentials table 156 may reside in the storage media 718. In some embodiments, portions of systems software (e.g., an operating system, etc.), framework/middleware (e.g., APIs, object libraries, etc.), and/or the security mediation service 150 reside at least temporarily in the storage media 718. Portions of systems software, framework/middleware, and/or the security mediation service 150 may be copied to the memory 714 during operation of the computing system 710, for faster processing or other reasons. In some embodiments, portions of the security mediation service 150 may be distributed across multiple computing devices (e.g., servers 190) on the network 100.

The communication circuitry 720 communicatively couples the computing system 710 to the network 100, which may be a local area network, wide area network, personal cloud, enterprise cloud, public cloud, and/or the Internet, for example. Accordingly, the communication circuitry 720 may include one or more wired or wireless network interface cards or adapters, for example, as may be needed pursuant to the specifications and/or design of the particular computing system 710. The communication circuitry 720 may be used by the network controller/switch interface 120 to communicate with the network switches 132, 134, 136 in order to control and define the dynamically programmable network 100. For example, the communication circuitry 720 may include one or more dedicated control channels for communication with one or more of the network switches 132, 134, 136.

The computing system 710 may include other components, sub-components, and devices not illustrated in FIG. 7 for clarity of the description. In general, the components of the computing system 710 are communicatively coupled as shown in FIG. 7 by electronic signal paths, which may be embodied as any type of wired or wireless signal paths capable of facilitating communication between the respective devices and components.

GENERAL CONSIDERATIONS

In the foregoing description, numerous specific details, examples, and scenarios are set forth in order to provide a more thorough understanding of the present disclosure. It will be appreciated, however, that embodiments of the disclosure may be practiced without such specific details. Further, such examples and scenarios are provided for illustration, and are not intended to limit the disclosure in any way. Those of ordinary skill in the art, with the included descriptions, should be able to implement appropriate functionality without undue experimentation.

References in the specification to “an embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is believed to be within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly indicated.

Embodiments in accordance with the disclosure may be implemented in hardware, firmware, software, or any combination thereof. Embodiments may also be implemented as instructions stored using one or more machine-readable media, which may be read and executed by one or more processors. A machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computing device or a “virtual machine” running on one or more computing devices). For example, a machine-readable medium may include any suitable form of volatile or non-volatile memory.

Modules, data structures, and the like defined herein are defined as such for ease of discussion, and are not intended to imply that any specific implementation details are required. For example, any of the described modules and/or data structures may be combined or divided into sub-modules, sub-processes or other units of computer code or data as may be required by a particular design or implementation of the security mediation service 150.

In the drawings, specific arrangements or orderings of schematic elements may be shown for ease of description. However, the specific ordering or arrangement of such elements is not meant to imply that a particular order or sequence of processing, or separation of processes, is required in all embodiments. In general, schematic elements used to represent instruction blocks or modules may be implemented using any suitable form of machine-readable instruction, and each such instruction may be implemented using any suitable programming language, library, application-programming interface (API), and/or other software development tools or frameworks. Similarly, schematic elements used to represent data or information may be implemented using any suitable electronic arrangement or data structure. Further, some connections, relationships or associations between elements may be simplified or not shown in the drawings so as not to obscure the disclosure.

This disclosure is to be considered as exemplary and not restrictive in character, and all changes and modifications that come within the spirit of the disclosure are desired to be protected.

1-20. (canceled)
21. A method for synchronizing a plurality of programmable network devices with a dynamic set of flow rules, the method comprising: storing, in an aggregate state table, aggregate state data and local state data; wherein the aggregate state data is representative of a current state of a network policy and the local state data is representative of a current state of a local policy; wherein the network policy comprises at least one flow rule that controls sending and receiving of network traffic by a plurality of programmable network devices; wherein the local policy comprises at least one flow rule that controls sending and receiving of network traffic by a local device of the plurality of programmable network devices; in response to the aggregate state table indicating that a network policy change has occurred, causing the local device to add the network policy change to the local policy; wherein the method is performed by one or more computing devices.

22. The method of claim 21, comprising, in response to a conflict between the network policy change and the local policy, causing the local device to delete any portion of the local policy that conflicts with the network policy change.

23. The method of claim 21, comprising, in response to a conflict between the network policy and a local policy change, updating the aggregate state table to indicate the local policy change.

24. The method of claim 21, comprising, in response to a communication indicating that the local device has deleted a flow rule due to a timeout, updating the aggregate state table to indicate that the flow rule has been deleted by the local device.

25. The method of claim 21, comprising coordinating the network policy with the local policy by registering a callback function to receive communications from the local device.

26. The method of claim 21, comprising, in response to a communication indicating that the local device has rejected a flow rule due to exhaustion of a local flow table, updating the aggregate state table to indicate that the flow rule has been rejected by the local device.

27. The method of claim 21, comprising, in response to determining that communication with the local device has been lost, simulating operation of the local device.

28. The method of claim 21, comprising predicting an expiration of a flow rule at the local device.

29. The method of claim 21, comprising, in response to an indication that a flow rule has been successfully added to the local device, adding the flow rule to the aggregate state data.

30. One or more non-transitory computer readable storage media storing instructions executable to cause one or more processors to perform operations comprising: storing, in an aggregate state table, aggregate state data and local state data; wherein the aggregate state data is representative of a current state of a network policy and the local state data is representative of a current state of a local policy; wherein the network policy comprises at least one flow rule that controls sending and receiving of network traffic by a plurality of programmable network devices; wherein the local policy comprises at least one flow rule that controls sending and receiving of network traffic by a local device of the plurality of programmable network devices; in response to the aggregate state table indicating that a network policy change has occurred, causing the local device to add the network policy change to the local policy.

31. The one or more non-transitory computer readable storage media of claim 30, wherein the instructions are executable to cause the one or more processors to perform operations comprising, in response to a conflict between the network policy change and the local policy, causing the local device to delete any portion of the local policy that conflicts with the network policy change; in response to a conflict between the network policy and a local policy change, updating the aggregate state table to indicate the local policy change.

32. The one or more non-transitory computer readable storage media of claim 30, wherein the instructions are executable to cause the one or more processors to perform operations comprising, in response to a communication indicating that the local device has deleted a flow rule due to a timeout, updating the aggregate state table to indicate that the flow rule has been deleted by the local device; in response to a communication indicating that the local device has rejected a flow rule due to exhaustion of a local flow table, updating the aggregate state table to indicate that the flow rule has been rejected by the local device; in response to determining that communication with the local device has been lost, simulating the operation of the local device; in response to an indication that a flow rule has been successfully added to the local device, adding the flow rule to the aggregate state data.

33. The one or more non-transitory computer readable storage media of claim 30, wherein the instructions are executable to cause the one or more processors to perform operations comprising coordinating the network policy with the local policy by registering a callback function to receive communications from the local device.

34. The one or more non-transitory computer readable storage media of claim 30, wherein the instructions are executable to cause the one or more processors to perform operations comprising predicting an expiration of a flow rule at the local device.

35. A system comprising: one or more processors; and one or more non-transitory computer readable storage media storing instructions executable to cause the one or more processors to perform operations comprising: storing, in an aggregate state table, aggregate state data and local state data; wherein the aggregate state data is representative of a current state of a network policy and the local state data is representative of a current state of a local policy; wherein the network policy comprises at least one flow rule that controls sending and receiving of network traffic by a plurality of programmable network devices; wherein the local policy comprises at least one flow rule that controls sending and receiving of network traffic by a local device of the plurality of programmable network devices; in response to the aggregate state table indicating that a network policy change has occurred, causing the local device to add the network policy change to the local policy; in response to an indication that a flow rule has been successfully added to the local device, adding the flow rule to the aggregate state data.

36. The system of claim 35, wherein the instructions are executable to cause the one or more processors to perform operations comprising, in response to a conflict between the network policy change and the local policy, causing the local device to delete any portion of the local policy that conflicts with the network policy change; in response to a conflict between the network policy and a local policy change, updating the aggregate state table to indicate the local policy change.

37. The system of claim 35, wherein the instructions are executable to cause the one or more processors to perform operations comprising, in response to a communication indicating that the local device has deleted a flow rule due to a timeout, updating the aggregate state table to indicate that the flow rule has been deleted by the local device.
 38. The system ofclaim 35, wherein the instructions are executable to cause the one ormore processors to perform operations comprising coordinating thenetwork policy with the local policy by registering a callback functionto receive communications from the local device.
 39. The system of claim35, wherein the instructions are executable to cause the one or moreprocessors to perform operations comprising, in response to acommunication indicating that the local device has rejected a flow ruledue to exhaustion of a local flow table, updating the aggregate statetable to indicate that the flow rule has been rejected by the localdevice.
 40. The system of claim 35, wherein the instructions areexecutable to cause the one or more processors to perform operationscomprising predicting an expiration of a flow rule at the local device.
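The following is an added illustration, not code from the patent or its applicant, of how the aggregate state table of claims 30 through 40 could reconcile a network-wide policy with one switch's local policy: a network policy change evicts any conflicting local rule and is pushed to the device; a device callback reports successful adds, timeout deletions and rejections due to flow table exhaustion back into the table; a lost device is simulated from the table's own record; and a rule's expiry is predicted from its recorded install time and hard timeout. The class and field names, the device name sw1, the match strings and the timeouts are all constructed. One assumption goes beyond the claims: a local change that conflicts with the network policy is recorded in the table and refused installation, rather than only recorded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    """One packet disposition directive (constructed field names)."""
    match: str                 # e.g. "tcp dst 10.0.0.5:22"
    action: str                # "allow" or "drop"
    hard_timeout: float = 0.0  # seconds after install; 0 means the rule never expires

    def conflicts_with(self, other):
        return self.match == other.match and self.action != other.action


class LocalDevice:
    """Constructed stand-in for a programmable switch with a bounded flow table."""
    def __init__(self, name, capacity):
        self.name, self.capacity, self.callback = name, capacity, lambda *args: None
        self.table = {}  # rule -> install time

    def add(self, rule, now):
        if len(self.table) >= self.capacity:   # local flow table exhausted
            self.callback(self.name, "rejected", rule, now)
        else:
            self.table[rule] = now
            self.callback(self.name, "added", rule, now)

    def tick(self, now):
        for rule, installed in list(self.table.items()):   # age out rules past their hard timeout
            if rule.hard_timeout and now - installed >= rule.hard_timeout:
                del self.table[rule]
                self.callback(self.name, "timeout", rule, now)


class AggregateStateTable:
    """Network policy (aggregate state) plus each device's local state, as in claim 30."""
    def __init__(self):
        self.network_policy, self.local_state = {}, {}  # match -> rule; device -> {rule: install time}
        self.devices, self.rejected, self.local_conflicts, self.unreachable = {}, set(), [], set()

    def register(self, device):
        # Claims 33/38: coordination happens through a callback that receives device communications.
        self.devices[device.name], self.local_state[device.name] = device, {}
        device.callback = self.on_device_event

    def on_device_event(self, dev, kind, rule, now):
        if kind == "added":        # claims 32/35: a confirmed add enters the aggregate state
            self.local_state[dev][rule] = now
        elif kind == "timeout":    # claims 32/37: device-side expiry is reflected in the table
            self.local_state[dev].pop(rule, None)
        elif kind == "rejected":   # claims 32/39: flow table exhaustion is reflected in the table
            self.rejected.add((dev, rule))

    def apply_network_change(self, rule, now):
        """Claims 30/31: push a network policy change, first evicting any conflicting local rule."""
        self.network_policy[rule.match] = rule
        for dev, device in self.devices.items():
            for local in [r for r in self.local_state[dev] if r.conflicts_with(rule)]:
                device.table.pop(local, None)        # delete the conflicting portion on the device
                del self.local_state[dev][local]
            if dev not in self.unreachable:
                device.add(rule, now)                # outcome arrives through the callback
            elif len(self.local_state[dev]) >= device.capacity:  # claim 32: simulate the lost device
                self.rejected.add((dev, rule))
            else:
                self.local_state[dev][rule] = now

    def propose_local_change(self, dev, rule, now):
        """Claim 31 (plus this example's assumption): a conflicting local change is recorded, not installed."""
        current = self.network_policy.get(rule.match)
        if current is not None and current.conflicts_with(rule):
            self.local_conflicts.append((dev, rule))
            return False
        self.devices[dev].add(rule, now)
        return True

    def predict_expiration(self, dev, rule):
        installed = self.local_state[dev].get(rule)  # claims 34/40: expected hard-timeout expiry
        return None if installed is None or not rule.hard_timeout else installed + rule.hard_timeout

    def connection_lost(self, dev):
        self.unreachable.add(dev)  # claim 32: from here on apply_network_change simulates the device


def demo():
    """Run the claimed events against one constructed switch and return the visible state."""
    table, sw = AggregateStateTable(), LocalDevice("sw1", capacity=2)
    table.register(sw)
    table.propose_local_change("sw1", FlowRule("tcp dst 10.0.0.5:22", "allow"), 0.0)
    deny = FlowRule("tcp dst 10.0.0.5:22", "drop", hard_timeout=30.0)
    table.apply_network_change(deny, 1.0)                 # evicts the conflicting local allow
    predicted = table.predict_expiration("sw1", deny)     # 31.0
    again = table.propose_local_change("sw1", FlowRule("tcp dst 10.0.0.5:22", "allow"), 2.0)
    table.apply_network_change(FlowRule("udp dst 10.0.0.9:53", "allow"), 3.0)
    table.apply_network_change(FlowRule("tcp dst 10.0.0.7:80", "allow"), 4.0)   # table is full
    sw.tick(40.0)                                         # hard timeout fires on the switch
    table.connection_lost("sw1")
    table.apply_network_change(FlowRule("tcp dst 10.0.0.8:443", "allow"), 42.0)  # simulated add
    return {"local_rules": sorted(f"{r.match}/{r.action}" for r in table.local_state["sw1"]),
            "rejected": sorted(r.match for _, r in table.rejected),
            "local_conflicts": len(table.local_conflicts),
            "conflicting_local_accepted": again, "predicted_expiry": predicted}
```

Running demo() walks one switch through each claimed event in order. The point a reviewer of such a design would check is that every path that changes the device's flow table (confirmed add, timeout, rejection, eviction, and the simulated path while the device is unreachable) also updates the aggregate table, since a mediation decision made against stale state can approve a directive that conflicts with what the switch is actually enforcing.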